From 6fe1ff710b5e543384b2c78eeee35c999b444364 Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Tue, 1 Mar 2016 13:34:27 +0100
Subject: Add a rule to catch fancy .htaccess tricks
---
 php-malware-finder/malwares.yara | 1 +
 php-malware-finder/samples/artificial/dodgy.php | 2 +-
 php-malware-finder/tests.sh | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index b47dce3..edb1ffb 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -188,6 +188,7 @@ rule DodgyStrings
 {
 strings:
 $ = ".bash_history"
+ $ = /AddType\s+application\/x-httpd-php\s+\.htaccess/
 $ = ".mysql_history"
 $ = ".ssh/authorized_keys"
 $ = "/(.*)/e" // preg_replace code execution
diff --git a/php-malware-finder/samples/artificial/dodgy.php b/php-malware-finder/samples/artificial/dodgy.php
index 1c85f39..3aac254 100644
--- a/php-malware-finder/samples/artificial/dodgy.php
+++ b/php-malware-finder/samples/artificial/dodgy.php
@@ -15,4 +15,4 @@ $c = "env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'"; fsockopen ( 'udp://'); call_user_func('LOL'); $d = "
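Review bot: The pattern added in the `DodgyStrings` hunk of malwares.yara is case-sensitive, but Apache matches directive names case-insensitively, so a file containing `addtype application/x-httpd-php .htaccess` would not be flagged. Adding the `nocase` modifier closes that gap: `$ = /AddType\s+application\/x-httpd-php\s+\.htaccess/ nocase`. The regex also fires only for `AddType`, and only when `.htaccess` is the first extension after the MIME type. It is worth deciding here whether `AddHandler` and versioned types such as `x-httpd-php5` should be covered too, and a short trailing comment like the one on the `/e` line (`// makes Apache run .htaccess itself as PHP`) would document the intent. The rest of the rule's strings and its condition lie outside the hunk, so how this string contributes to a match cannot be confirmed from the diff.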